The present invention relates to an information processing system, an information processing apparatus, a registration server, a control program, and a control method. In particular, the present invention relates to an information processing system, an information processing apparatus, a registration server, a control program, and a control method that protect data by means of password authentication.
There is a method for managing the personal data of each of the users sharing the same information processing apparatus so as to prevent the personal data from being referred to by the other users, by using a management function of an operating system (hereinafter referred to as the OS). For example, an OS controls access to a storage area in which personal data is stored and permits access to the storage area only if a password is entered. Also, a file encryption tool can be used to encrypt and store a file in such a manner that the file can be decrypted only if a password is entered.
However, in relatively small companies, it is often the case that the authority of an OS administrator is not clearly defined and one of the users sharing an information processing apparatus also serves as the OS administrator. Furthermore, depending on the administrator's ability and knowledge, an administrator may accidentally install spyware that performs keyboard logging or the like. Consequently, the passwords or personal data of the users sharing the information processing apparatus can be read or tampered with by another sharing user.
The capability of recording a history of access to personal data can be set to watch for unauthorized access. However, if a password itself is stolen, it is difficult to separate a tiny number of records of unauthorized access from the records of authorized access. Furthermore, it would be a burden to the users to frequently check the access history. Although various other means may be possible, it is inherently difficult to ensure privacy of personal data in a system in which the OS administrator has control over all the authority on the information processing apparatus.
On the other hand, a technology has been used that sets a password for controlling access to a hard disk drive (hereinafter referred to as an HDD). Because a password set to an HDD is recorded on the HDD in a dispersed manner according to a certain algorithm when the password is set, it is difficult to perform unauthorized reading of the password. Unlike a password managed by an OS, authentication of the password set to the HDD is performed before activation of the OS. If the password is authenticated, the HDD is made accessible and the OS is activated. Therefore, even the OS administrator cannot access data in the HDD without knowledge of the password for the HDD.
Patent Document 1 will be referred to below.
[Patent Document 1] Laid-Open Japanese Patent Application No. 2000-215167
When executing the following two application programs, a user cannot enter an HDD password. Therefore, access to the HDD remains prohibited and these programs can be activated only in limited ways.
(1) A service for resetting an HDD password of a user if the user forgets the HDD password
(2) A service for delivering a certain file from a remote server over a network through the use of remote activation (see Patent Document 1, for example)
Because it is essentially of no use to store these service programs in an HDD, they may be stored in a non-volatile memory other than the HDD, such as a ROM. However, it is not cost effective to make a ROM, which has a limited code storage capacity, accommodate the size of the programs required to implement complicated functions, such as a network connection function and a multi-language support function, for providing the above-mentioned services. Another known solution that does not use an HDD is to transfer the required program itself from a PXE (Preboot eXecution Environment) server provided in the same subnetwork within a LAN to the main memory of an information processing apparatus and activate the program there. However, there are problems in that installation and maintenance costs for the PXE server are required and that such a program activation method cannot be used in a network environment in which no PXE server is provided. Further, even if a PXE server can be used to solve the problem of activating the program for performing the service mentioned under item (2), there remains another essential problem: no location is available to store or save a file delivered by the service while access to the local HDD is prohibited.
There is another solution to the condition in which a user cannot enter an HDD password. An HDD password, which would otherwise be stored only in the HDD, is backed up onto a non-volatile memory (such as a battery-backed CMOS or EEPROM) on the system board that is accessible to the BIOS code. According to this method, the HDD can be made accessible by having the BIOS itself send the HDD password to the HDD if the user cannot enter the HDD password. Furthermore, most personal computers include, in addition to the password for restricting access to the HDD (the HDD password), a power-on password (POP) by which the BIOS itself restricts activation of the system. Therefore, in some cases, the same character string is used as both the POP and the HDD password to provide the backup function described above. That is, this approach tries to solve the problem at the level of password usage, by recommending that the user set the same character string as both the POP and the HDD password in order to implement the service mentioned under item (2).
However, a malicious third party can insert a special cable that provides an electrical interface between the HDD and the motherboard of the main unit, which are interconnected through a connector, and wiretap the HDD password, which is automatically transmitted at the expected timing of a remote activation, by abusing the BIOS function of automatically reading the HDD password from the backup area and sending it to the HDD even when the user does not directly enter the password. Therefore, the solutions using HDD password backup are risky in terms of security. A POP can easily be read from a non-volatile memory on the internal motherboard by opening up the housing of the system, bringing a commercially available instrument such as a locator into direct contact with a specific position of the non-volatile memory, and electrically accessing it. In contrast, special security considerations are given to an HDD password, as described above. That is, the security reliability of an HDD password inherently differs from that of a POP, which is protected from being accessed by other software code simply by restricting access to the POP to BIOS code. Therefore, the above-described solution in which the user uses the same character string for both the HDD password and the POP reduces the security level of the HDD password to that of the POP, leading to the crucial problem of decreasing the security level of the entire system.
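The following Python model is an added illustration and is not code from the patent application. It captures the three elements the background section describes: a drive that authenticates its password before the OS is activated (the HDD password mechanism above), a BIOS that either takes the password from the user or replays a copy backed up in system-board NVRAM (the backup scheme and the shared POP string), and the cable between BIOS and drive over which any unlock request travels. It lets a reader check the section's two claims directly: with a backup copy the drive is unlocked with nobody present, and with a shared string the HDD password is held wherever the POP is held. All class and function names, and every password value, are constructed for the example; the five-attempt unlock limit is an assumption drawn from the ATA security feature set rather than from this text.

```python
"""Boot-flow model of the HDD-password schemes discussed above (added example)."""
from dataclasses import dataclass
from typing import Optional

# Assumption from the ATA security feature set, not from the patent text: after
# five failed SECURITY UNLOCK attempts the drive refuses further attempts until
# the next power cycle.
MAX_UNLOCK_ATTEMPTS = 5


@dataclass
class Hdd:
    """Drive holding its own password; the stored secret never leaves the drive."""
    _password: str
    locked: bool = True
    failed_attempts: int = 0

    def security_unlock(self, candidate: str) -> bool:
        if self.failed_attempts >= MAX_UNLOCK_ATTEMPTS:
            return False  # attempt counter expired: power cycle required
        if candidate == self._password:
            self.locked = False
            return True
        self.failed_attempts += 1
        return False


@dataclass
class Nvram:
    """Battery-backed CMOS/EEPROM on the system board, readable by BIOS code."""
    power_on_password: str
    hdd_password_backup: Optional[str] = None


@dataclass
class BootResult:
    os_started: bool
    unattended_unlock: bool  # drive unlocked with nobody at the keyboard
    bus_frames: list         # what crossed the HDD cable during this boot


def bios_boot(hdd: Hdd, nvram: Nvram, user_input: Optional[str]) -> BootResult:
    """One power-on sequence; user_input is None for a remote (unattended) activation."""
    frames = []
    if user_input is not None:
        candidate, unattended = user_input, False
    elif nvram.hdd_password_backup is not None:
        candidate, unattended = nvram.hdd_password_backup, True
    else:
        # No user present and no backup copy: the drive stays locked and the
        # OS stored on it cannot be activated (the item (1)/(2) situation).
        return BootResult(False, False, frames)
    # Whatever the source, the unlock payload crosses the cable in cleartext.
    frames.append(("SECURITY UNLOCK", candidate))
    ok = hdd.security_unlock(candidate)
    return BootResult(os_started=ok, unattended_unlock=ok and unattended, bus_frames=frames)


def hdd_secret_exposure(nvram: Nvram, hdd_password: str) -> set:
    """Locations that hold a copy of the HDD password under this configuration.

    'drive' is always present. 'nvram' is added by the backup scheme, and 'pop'
    means the POP equals the HDD password, so anyone who reads the POP from the
    system-board memory also has the HDD password.
    """
    places = {"drive"}
    if nvram.hdd_password_backup == hdd_password:
        places.add("nvram")
    if nvram.power_on_password == hdd_password:
        places.add("pop")
    return places


def compare_schemes() -> dict:
    """Run the three boot scenarios the section contrasts (constructed values)."""
    secret = "hdd-secret-constructed"
    # (a) Password entered at the keyboard; nothing backed up on the system board.
    plain = Nvram(power_on_password="pop-constructed")
    attended = bios_boot(Hdd(secret), plain, user_input=secret)
    # (b) Remote activation with no backup copy: the drive cannot be unlocked.
    remote_no_backup = bios_boot(Hdd(secret), plain, user_input=None)
    # (c) Same string used as POP and HDD password and kept in NVRAM as backup.
    shared = Nvram(power_on_password=secret, hdd_password_backup=secret)
    remote_shared = bios_boot(Hdd(secret), shared, user_input=None)
    return {
        "attended": attended,
        "remote_no_backup": remote_no_backup,
        "remote_shared_backup": remote_shared,
        "exposure_plain": hdd_secret_exposure(plain, secret),
        "exposure_shared": hdd_secret_exposure(shared, secret),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(name, value)
```

Running the model shows the trade-off the section describes: scenario (b) is the one the service programs under items (1) and (2) run into, scenario (c) restores remote activation only by placing the secret in BIOS-readable memory and transmitting it with no user present, and `hdd_secret_exposure` reports that in (c) the HDD password is held at POP level as well as inside the drive.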